U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Briefing Report

Steps Taken But More Work Needed to Strengthen Governance, Increase Utilization, and Improve Security Planning for the Exchange Network

Report No. 09-P-0184

June 30, 2009

Report Contributors
    Rudolph M. Brevard
    Cheryl Reid
    David Cofer
    Anita Mooney
    Sejal Shah
    Christina Nelson

Abbreviations

ASSERT      Automated System Security Evaluation and Remediation Tracking
CDX         Central Data Exchange
EPA         U.S. Environmental Protection Agency
NIST        National Institute of Standards and Technology
OIG         Office of Inspector General
SP          Special Publication

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

June 30, 2009

MEMORANDUM

SUBJECT:    Steps Taken But More Work Needed to Strengthen Governance, Increase Utilization, and Improve Security Planning for the Exchange Network
            Report No. 09-P-0184

FROM:       Rudolph M. Brevard
            Director, Information Resources Management Assessments

TO:         Linda Travers
            Acting Assistant Administrator and Chief Information Officer
            Office of Environmental Information

            Lisa Schlosser
            Director, Office of Information Collection
            Office of Environmental Information

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report consists of the briefing presentation we provided to Office of Environmental Information managers on May 4, 2009. It contains findings that describe the problems the OIG has identified and the corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

We sought to determine whether EPA has taken:

   •   Corrective actions for recommendations made in the audit report Improved Management Practices Needed to Increase Use of Exchange Network, Report No. 2007-P-00030, issued August 20, 2007; and
   •   Steps to ensure all Exchange Network components comply with federal security requirements.

We conducted this audit from January through May 2009 at EPA Headquarters in Washington, DC, in accordance with the generally accepted government auditing standards issued by the Comptroller General of the United States. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

We interviewed EPA personnel responsible for implementing the corrective actions in the prior report and personnel responsible for managing the security activities reviewed. We reviewed relevant security documents and evaluated them against prescribed federal and EPA guidance. We reviewed self-reported security information entered into the Agency's Automated System Security Evaluation and Remediation Tracking (ASSERT) system and compared it against the information contained in the provided security documents.

The estimated cost of this report, calculated by multiplying the project's staff days by the applicable daily full cost billing rates in effect at the time, is $253,562.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report. We are requesting your response within 45 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.

We would like to thank your staff for their cooperation. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or brevard.rudy@epa.gov; or Cheryl Reid, Project Manager, at (919) 541-2256 or reid.cheryl@epa.gov.

Steps Taken But More Work Needed to Strengthen Governance, Increase Utilization, and Improve Security Planning for the Exchange Network

Results of Review

Objective 1

Status of Prior Audit Report Recommendations

Prior Audit Report Recommendations

•   Recommendation 2.1 - Acting Assistant Administrator for Environmental Information execute recently developed Exchange Network Communications and Marketing Plan elements that include actively promoting the business value of participating in Network initiatives to EPA and partner environmental program managers.

    Status - Ongoing and progressing

•   Recommendation 2.2 - Acting Assistant Administrator for Environmental Information modify Exchange Network change management policies and procedures to include step-by-step processes for fully testing and certifying all implementation tools before release to the Exchange Network community.

    Status - Completed; published Principles, Rules, and Procedures for Change Management on the Exchange Network, V1.1, February 19, 2009.

•   Recommendation 3.1 - Acting Assistant Administrator for Environmental Information work with Exchange Network governance bodies to develop and implement a process that uses the Network Business Plan criteria to evaluate data flows for future Network implementation.

    Status - Completed; published 2009 Annual Exchange Network Grant Program Solicitation Notice, September 2008.

•   Recommendation 4.1 - Acting Assistant Administrator for Environmental Information develop a new milestone plan for completing the Exchange Network performance measures project.

    Status - Completed; first Performance Measures reported May 2008.

•   Recommendation 4.2 - Acting Assistant Administrator for Environmental Information develop procedures for establishing ad-hoc workgroups for Exchange Network projects.

    Status - Unimplemented

•   Recommendation 5.1 - Acting Assistant Administrator for Environmental Information publish standards that specify when EPA program offices must use the Exchange Network when modernizing or developing applications. The standards should also specify the processes EPA offices must follow when the office cannot adhere to the established standards or selects an alternate technology solution to the one prescribed.

    Status - Unimplemented

•   Recommendation 5.2 - Acting Assistant Administrator for Environmental Information include the Exchange Network and related technologies as part of the Agency's Enterprise Architecture.

    Status - Unimplemented

•   Recommendation 5.3 - Acting Assistant Administrator for Environmental Information have Office of Information Collection complete its plans to develop a tool offices can use to evaluate their applications in regard to Network technologies.

    Status - Completed March 27, 2008; created a Return on Investment Estimator tool for program offices to use in the early stages of planning new data flows.

OIG Recommendations

The Acting Assistant Administrator for Environmental Information should:

1. Submit an updated Corrective Action Plan for unimplemented recommendations 4.2, 5.1, and 5.2.

2. Update EPA's Management Audit Tracking System regarding unimplemented recommendations.

Objective 2

Compliance with Federal Security Requirements

Certification & Accreditation (C&A)

•   The current Central Data Exchange (CDX) Certification and Accreditation package is not in compliance with federal security requirements because the approved system security plan, the security assessment report, and the plan of action and milestones do not meet federal and agency requirements.

Security Plan & Risk Assessment

•   Minimum Security Controls are not in compliance with the latest National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 1.

•   The security plan does not comply with NIST SP 800-18, Revision 1, because the Minimum Security Controls section does not thoroughly describe how each security control is being implemented, or is planned to be implemented.

•   The latest CDX Risk Assessment, dated December 22, 2004, is outdated.

Contingency Plan

•   The Record of Changes is not maintained, as required by NIST SP 800-34 guidance and EPA's Agency Network Security Policy.

•   Office of Environmental Information did not provide documentation to (1) support the existence of a training plan that meets federal policy or guidance, and (2) confirm personnel have been trained on contingency plan responsibilities and procedures within the last two years.

•   Office of Environmental Information has not conducted annual Contingency Plan testing, as required by the CDX Contingency Plan, Section 5. The last test was conducted in March 2006.

ASSERT Reporting

•   ASSERT reporting for CDX is not accurate. Only:
    -   33% of the ASSERT data reviewed is supported by the corresponding data in the official security plan.
    -   25% of the ASSERT assessment entries are compliant with NIST SP 800-18, Revision 1.
    -   42% of the control elements evaluated in the official security plan are compliant with NIST SP 800-18, Revision 1.

Vulnerability Scanning

•   Monthly server full system scans and Patchlink reports are not performed, as required by both EPA and CDX policy and procedures.

•   Weekly server full system scans are not being performed, as required by both EPA and CDX policy and procedures.

Summary

•   Steps are needed to ensure the Exchange Network is fully recognized as the preferred method for exchanging environmental information between EPA and its partners, and to strengthen Exchange Network governance.

•   Emphasis is needed to ensure CDX meets the prescribed federal security requirements.

    Without action, management hinders its ability to achieve the desired utilization of the Exchange Network and to ensure the Network is operating without vulnerabilities that could put needed data at risk.

OIG Recommendations

The Director, Office of Information Collection should:

3. Recertify and reaccredit CDX.

4. Update the CDX Security Plan to comply with NIST SP 800-18, and ensure the plan describes how CDX implements the minimum security controls contained in NIST SP 800-53.

5. Conduct a formal, independent risk assessment of CDX, and ensure CDX is reassessed every three years, as required by EPA policy.

6. Maintain the CDX Contingency Plan Record of Changes, as required by NIST SP 800-34 guidance and EPA's Network Security Policy.

7. Develop a CDX Contingency Plan training plan that meets federal requirements, and ensure personnel with contingency plan responsibilities receive the required training on responsibilities and procedures.

8. Conduct CDX Contingency Plan testing at least annually, as required by Agency policy and NIST guidance.

9. Ensure data entered into ASSERT are supported either by the system security plan or by other documents referenced in the system security plan.

10. Perform the required weekly and monthly network vulnerability testing, as required by EPA and CDX policy and procedures.

11. Issue an Interim Authorization to Operate CDX until CDX is reaccredited.

12. Enter a Plan of Actions and Milestones in the Agency's information security weakness tracking system for recommendations 3 through 11.